Full Group Summary

Password management must first be defined to avoid confusion as to how you want to implement and run it. Indeed, there are multiple variants for controlling access. Peter Stephenson reports.

Password management has come to mean a lot of things, a case where marketing has gotten in the way of clear, unambiguous definitions. We may think of password management as a sub-context of identity management, access management and policy management. In this set of reviews we are looking at ways to manage access to passwords themselves.

Is "single sign-on" (SSO) password management? Some - me included - would argue that it is. In fact, at least one of the products we looked at this month acted a bit like an SSO tool. Caching a collection of passwords for different applications and platforms and accessing the cache with a single password certainly smells like SSO. But without some of the enterprise management capabilities of full-on SSO systems, it is probably simplistic to think of such a product as a solid SSO system.

For our purposes, then, we viewed these products as variants on what I refer to as "password carvers". These can be one-to-many or many-to-one tools.

One-to-many tools allow the user to access a collection of systems or applications with a single password. We see some simple examples of that with another type of access control we've looked at in the past. These products allow you to build a table of passwords for various websites and, using a USB dongle with some biometrics, you can log into all of the sites automatically.

Many-to-one tools are the true carvers. These typically allow multiple users to access some administrator functions on a system or application without using the true superuser password. There are a few products such as this with good functionality. We looked at some of them too.

What to look for
To begin with, you need to know in a fair amount of depth exactly what you want to use this type of password management for. This is critically important today, as there are enough variants in functionality across current generations of several types of products to make a one-size-fits-all approach impractical. It is conceivable that you may need more than one of these products. In that case, be sure that you are aware of any agents that need to live on client machines and that, if more than one needs to be used, there are no conflicts.

Another important factor to consider is whether you need enterprise management and whether you will need to deploy these products over a wide geographic area to thousands of users. For some of these products that may pose a challenge. Not all password managers are intended for use in an enterprise. And if they are, they may be targeted at a specific system or application, usually at the administrator level.

Probably the most important factor to consider, beyond the advertised password management functionality, is the password manager management functionality. Lost or destroyed passwords, role mismanagement and general access controls all are part of the considerations for managing the manager. Another important aspect of these products is auditing. Not all offered robust auditing.

However, when you are managing access to a superuser account you need to know who is doing what. A difficulty here is that often logging/auditing does not have the granularity to differentiate users sharing an account.
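The attribution gap described above, as an added illustration that is not part of the original review: actions logged under a shared superuser account carry no individual identity, but if the password manager records who checked the shared credential out and when, each action can be tied back to a person by matching its timestamp against the checkout window. The log formats and names (root, alice, bob) are constructed for the example.

```python
from datetime import datetime

# Constructed sample data. The system's own log only knows the shared account.
SHARED_ACCOUNT_LOG = [
    ("2024-03-01T09:05:00", "root", "useradd svc_backup"),
    ("2024-03-01T09:40:00", "root", "visudo"),
    ("2024-03-01T09:45:00", "root", "passwd svc_backup"),
    ("2024-03-01T11:15:00", "root", "systemctl restart nginx"),
]

# Constructed password-manager checkout log: (user, checked out, checked in).
CHECKOUTS = [
    ("alice", "2024-03-01T09:00:00", "2024-03-01T09:30:00"),
    ("bob",   "2024-03-01T09:35:00", "2024-03-01T10:00:00"),
    ("carol", "2024-03-01T09:42:00", "2024-03-01T09:50:00"),  # overlaps bob
]


def _ts(value):
    return datetime.fromisoformat(value)


def attribute(shared_log, checkouts):
    """Tie each shared-account action to the individual(s) holding the credential.

    Returns (timestamp, account, action, holder) where holder is the user name,
    None when nobody had the credential checked out (an unexplained use of the
    shared account), or "ambiguous:<users>" when checkouts overlapped and the
    manager's records cannot tell the users apart.
    """
    attributed = []
    for ts, account, action in shared_log:
        t = _ts(ts)
        holders = [u for u, start, end in checkouts if _ts(start) <= t <= _ts(end)]
        if len(holders) == 1:
            holder = holders[0]
        elif holders:
            holder = "ambiguous:" + ",".join(sorted(holders))
        else:
            holder = None
        attributed.append((ts, account, action, holder))
    return attributed


def needs_review(attributed):
    """Actions that cannot be attributed to exactly one person."""
    return [row for row in attributed if row[3] is None or str(row[3]).startswith("ambiguous:")]
```

Anything returned by needs_review is where the audit trail, not the password manager, is the weak point: either the shared credential was used outside any checkout, or two checkouts overlapped.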

How we tested
Testing was very straightforward. We set up an environment representative of the environment the tool was intended to manage. Since we had a combination of appliances and software - the appliances being solid enterprise-class products - we needed to set up a simulated enterprise with tools such as Active Directory for a few of these products.

Overall, we were pleased with the way this crop behaved. However, we were struck by the variety of use cases they are intended to support. Those different use cases required a bit of creativity in the lab. Surprisingly, we didn't have a lot of challenges deploying the products. That is good news for system administrators faced with adding this type of password management to the enterprise.

The bottom line, with this type of password manager, is to fit the tool to the application and not to be afraid to mix and match to get what you need. Sadly, that may be necessary and, of course, it adds a level of complexity to administration.

Do not expect a tool intended for a single user or small enterprise to work well in a large distributed environment. Request examples of places similar to your organisation where the vendor's offering is being used successfully.

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.